Acegi Security Reference Documentation Part I. Overall Architecture
和大多数软件一样,Acegi Security也有一些核心接口、类、抽象类在框架中普遍使用。In this part of the reference guide we will introduce Acegi Security, before examining these central elements that are necessary to successfully planning and executing an Acegi Security integration.
第一张:介绍
1.1. Acegi Security是什么?
Acegi Security provides comprehensive security services for J2EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework,which is the leading J2EE solution for enterprise software development. If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Acegi Security more easily.People use Acegi Security for many reasons, but most are drawn to the project after finding the security features of J2EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it's important to recognise
that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application's security in the new target environment. Using Acegi Security overcomes these problems, and also brings you dozens of other useful, entirely customisable security features.
你也许知道,安全验证包含两个主要操作。第一个就是身份验证(authentication"),which is the process of establishing a principal is who they claim to be. A "principal" 通常意思是一个用户、设备或者其他系统,能够执行一些操作在你的应用程序中。授权(Authorization)则是指决定一个principal是否有权限在你的应用程序中执行某个动作的处理。要达到这点(执行这个操作)必须要先通过身份验证(authorization ),该principal的身份已经通过authentication处理流程并建立了连接。这些都是普通的概念,并不是Acegi Security中特有的。对于身份验证,Acegi Security提供了a range of authentication models.大部分身份验证模型是第三方提供的或者相关的标准框架开发的,例如the Internet Engineering Task Force。另外,Acegi Security提供了一套它自己的身份验证特性。特别是,Acegi Security支持一下技术来验证身份:
? HTTP BASIC authentication headers (an IEFT RFC-based standard)
? HTTP Digest authentication headers (an IEFT RFC-based standard)
? HTTP X.509 client certificate exchange (an IEFT RFC-based standard)
? LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
? Form-based authentication (for simple user interface needs)
? Computer Associates Siteminder
? JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign on system)
? Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
? Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
? Anonymous authentication (allowing every call to automatically assume a particular security identity)
? Run-as authentication (which is useful if one call should proceed with a different security identity)
? Java Authentication and Authorization Service (JAAS)
? Container integration with JBoss, Jetty, Resin and Tomcat (so you can still use Container Manager Authentication if desired)
? Your own authentication systems (see below)
许多独立的软件卖家 (ISVs)采用Acegi Security的原因就是它丰富的身份验证模型可供选择。Doing so allows them to quickly integrate their solutions with whatever their end clients need, without undertaking a lot of engineering or requiring the client to change their environment. If none of the above authentication mechanisms suit your needs, Acegi Security is an open platform and it is quite simple to write your own authentication mechanism. Many corporate users of Acegi Security need to integrate with "legacy" systems that don't follow any particular security standards, and Acegi Security is happy to "play nicely" with such systems.
有时候仅仅身份验证是不够的。Sometimes you need to also differentiate
security based on the way a principal is interacting with your application. For example, you might want to ensure requests only arrive over HTTPS, in order to protect passwords from eavesdropping or end users from man-in-the-middle attacks. 或者你
希望确认是一个真实的人在做请求而不是什么自动机器或者其他的什么自动程序在做请求操作。这个对于保护密码不被暴力破解还是很有帮助的,同样也会使得那些想复制你的应用程序内容变得很困哪。为了帮助你来完成这些功能,Acegi Security fully supports automatic "channel security", together with JCaptcha integration for human user detection.。
不管身份验证是如何实现的,Acegi Security提供了一套完整(a deep set)的身份验证能力。在身份验证中有三个主要的方面,他们是授权web请求(authorizing web request),授权方法响应(authorizing methods can be invoked)和授权单个领域对象访问权限(authorizing access to individual domain object instances)。To help you understand the differences, consider the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed Security and file system security respectively. Acegi Security provides deep capabilities in all of these important areas, which we'll explore later in this reference guide.
1.2. 历史
Acegi Security开始于2003年,Spring开发邮件列表收到这样一个问题,是否有考虑过基于Spring的安全实现方案。当时的Spring环境相对现在来说是很小的,而且Spring最早也是2003年作为一个SourceForge项目存在罢了。问题的回复是,这是一个非常有价值的领域,尽管现在没有什么时间,但也不能停止这方面的研究。
很快,一个简单的安全实现搞定了,但并没有发布。几周以后另外一个Spring团队询问到安全问题,这样这个简单的安全框架代码交给了他们。
Several other requests followed, and by January 2004 around twenty people were using the code. These pioneering users were joined by others who suggested a SourceForge project was in order, which was duly established in March 2004.
In those early days, the project didn't have any of its own authentication modules. Container Managed Security was relied upon for the authentication process, with Acegi Security instead focusing on authorization. This was suitable at first, but as more and more users requested additional container support, the fundamental limitation of container-specific authentication realm interfaces was experienced. There was also a related issue of adding new JARs to the container's classpath, which
was a common source of end user confusion and misconfiguration.
Acegi Security-specific authentication services were subsequently introduced. Around a year later, the Acegi Security became an official Spring Framework subproject. The 1.0.0 final release was published in May 2006 - after more than two and a half years of active use in numerous production software projects and many hundreds of improvements and community contributions. Today Acegi Security enjoys a strong and active open source community. There are thousands of messages about Acegi Security on the support forums. Fourteen developers work on the code itself, with an active community who also regularly share patches and support their peers.
1.3. Release Numbering
It is useful to understand how Acegi Security release numbers work, as it will help you identify the effort (or lack thereof) involved in migrating to future releases of the project. Officially, we use the Apache Portable Runtime Project versioning guidelines, which can be viewed at http://apr.apache.org/versioning.html. We quote the introduction contained on that page for your convenience: “Versions are denoted using a standard triplet of integers: MAJOR.MINOR.PATCH. The basic intent is that MAJOR versions are incompatible, large-scale upgrades of the API. MINOR versions retain source and binary compatibility with older minor versions, and changes in the PATCH level are perfectly compatible, forwards and backwards.”